Sunday 21 December 2014

Reflector and Amplification Attacks

In contrast to DDoS attacks, reflector and amplification attacks use network systems that are functioning normally. The attacker sends a network packet with a spoofed source address to a service running on some network server. The server responds to this packet, sending its response to the spoofed source address, which belongs to the actual attack target. If the attacker sends a number of requests to a number of servers, all with the same spoofed source address, the resulting flood of responses can overwhelm the target's network link. There are two basic variants of this type of attack: reflection attacks and amplification attacks.

A reflection attack is the direct implementation of this type of attack. The attacker sends packets to a known server with the spoofed source address of the actual target system. When the server responds, the response is sent to the target. This reflects the attack off the server, which acts as a reflector; that is why this attack is called a reflector attack.

Amplification attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to machines that act as reflectors. They differ in generating multiple response packets for each original packet sent. In DNS amplification, the attacker crafts a small DNS message, usually 60-80 bytes, with the victim's spoofed IP address and sends it to an open DNS resolver to trigger a DNS response back to the victim's address. The response is usually 2000-3000 bytes, an amplification factor that is approximately 60 times the original value. This amplification can significantly increase the volume of traffic that the victim receives.
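
From the target's side, reflected DNS traffic has a recognisable shape: large responses from port 53, arriving from several servers, that answer queries the target never sent. The sketch below is an added example, not part of the original post; the flow-record layout, the sample addresses and both thresholds are assumptions chosen for illustration (the 2000-byte floor follows the response size quoted above).

```python
from collections import defaultdict

# Constructed flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.1", 53, 70),     # genuine query
    ("198.51.100.1", 53, "203.0.113.10", 40000, 180),    # its matching answer
    ("198.51.100.2", 53, "203.0.113.10", 31337, 2800),   # no query was sent
    ("198.51.100.3", 53, "203.0.113.10", 31337, 2900),
    ("198.51.100.4", 53, "203.0.113.10", 31337, 3000),
    ("198.51.100.5", 53, "203.0.113.20", 5555, 120),     # unsolicited but small
]

def find_reflection_targets(flows, min_bytes=2000, min_reflectors=3):
    """Return {target_ip: {"reflectors": n, "bytes": total}} for hosts that
    receive large DNS responses they never requested from several servers."""
    # Pass 1: remember every query that actually left a host.
    queries = {(src, sport, dst) for src, sport, dst, dport, _ in flows
               if dport == 53}
    # Pass 2: collect large port-53 responses with no matching query.
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, dport, size in flows:
        if sport != 53 or size < min_bytes:
            continue
        if (dst, dport, src) in queries:
            continue  # solicited answer, normal resolver behaviour
        seen[dst]["reflectors"].add(src)
        seen[dst]["bytes"] += size
    return {ip: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
            for ip, v in seen.items() if len(v["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    for ip, stats in find_reflection_targets(FLOWS).items():
        print(ip, stats)
```

The same unmatched-response test works at a network border: a stateful filter that only admits DNS responses matching a recently seen outbound query drops reflected traffic before it reaches the host, although the upstream link can still be saturated.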
